CVE-2015-0922
23Vexday Risk Score
Patch soon. It has a working public exploit.
ssvc Attendepss 13%
from disclosure to weapon0 days
Published on NVDJan 9
metasploitJan 6
exploitation probability
13%top 4% of all CVEs
observed exploitation
nono source reports it
McAfee ePolicy Orchestrator (ePO) before 4.6.9 and 5.x before 5.1.2 uses the same secret key across different customers' installations, which allows attackers to obtain the administrator password by leveraging knowledge of the encrypted password.
Affected products
n/a · n/aReferences
http://packetstormsecurity.com/files/129827/McAfee-ePolicy-Orchestrator-Authenticated-XXE-Credential-Exposure.htmlhttp://seclists.org/fulldisclosure/2015/Jan/37http://seclists.org/fulldisclosure/2015/Jan/8https://exchange.xforce.ibmcloud.com/vulnerabilities/99949https://gist.github.com/brandonprry/692e553975bf29aeaf2chttps://kc.mcafee.com/corporate/index?page=content&id=SB10095http://www.securityfocus.com/bid/72298http://www.securitytracker.com/id/1031519